Hit by ransomware? You really need to report it

Opinion: The verdict is in: if you’ve been a victim of a ransomware attack, you will almost certainly be required to report the breach to the Privacy Commissioner and the people likely affected.

In what is the clearest guidance industry has been given on notification obligations in the event of a ransomware attack, this news came with the release of the Office of the Australian Information Commissioner’s January-June 2021 Notifiable Data Breach Report.

The Privacy Commissioner recently said ransomware’s rise was concerning. Credit: Shutterstock/Andrey_Popov

In this report, the OAIC states:

“It is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred.”

This statement seems to be plain common sense when you consider the factors at play in a ransomware or data theft extortion incident: the depth and breadth of personal information held by most organisations in Australia in the digital age; the fact that the majority of ransomware attacks affect the majority of the data held by a victim organisation; and the fact that this type of breach is perpetrated by criminals seeking to do harm for profit. In these circumstances it would be exceptional to be able to demonstrate that such a breach would be unlikely to lead to a serious risk to individuals.

Although it may seem obvious at face value, clearly the OAIC has found the need to expressly state this fact and remove any doubt as to a loophole existing for organisations to avoid reporting to the regulator when they’ve been hit by ransomware.

To date, organisations may have been relying on a lack of evidence of exfiltration to justify not reporting a ransomware breach to the Privacy Commissioner and affected individuals. In such circumstances, organisations are most likely failing to understand that the threshold test for determining whether a breach is reportable is based on the ‘more likely than not’ standard – or, to use the legal term, “on the balance of probabilities”.

So, if your organisation is the custodian of information that is likely to cause serious harm to individuals when it is likely to be in the possession…